Key Findings
- University of California study identified 26 third-party LLM routers engaging in credential theft and malicious code injection
- Researchers witnessed Ether withdrawn from a test wallet by a compromised router
- These routing services can read all transmitted messages in plaintext, exposing private keys and recovery phrases
- An automated execution feature called “YOLO mode” enables AI agents to run instructions without requiring user approval
- Security experts advise completely avoiding the transmission of private keys through AI agent platforms
A team from the University of California has uncovered evidence that certain third-party artificial intelligence routing platforms pose significant security risks by harvesting cryptocurrency credentials and inserting harmful code into development environments.
The research team released their findings this week in a comprehensive paper examining what they termed “malicious intermediary attacks” targeting the large language model (LLM) infrastructure ecosystem.
These LLM routing services function as intermediary platforms positioned between developers and major AI providers such as OpenAI, Anthropic, and Google. Their primary role involves managing and directing API requests across various service providers.
The security vulnerability arises because these routing platforms terminate encrypted connections. This architecture grants them complete, unencrypted visibility into every communication that passes through their systems.
Developers utilizing AI-powered coding assistants such as Claude Code for building smart contracts or cryptocurrency wallet applications may unknowingly transmit private keys and seed phrases through these intermediary services.
The research team evaluated 28 commercial routing services and 400 free alternatives collected from online developer communities.
Results revealed nine routers actively inserting malicious code, two employing sophisticated evasion techniques, and 17 capturing researcher-controlled Amazon Web Services authentication credentials.
One routing service successfully withdrew Ether from a deliberately created decoy wallet. The financial impact of this incident totaled less than $50.
According to the researchers, users have almost no way to distinguish legitimate credential processing from outright theft, because routers already hold plaintext access to sensitive information as part of their core functionality.
Automated Execution Amplifies Vulnerability
The published paper highlighted a configuration option present in numerous AI agent frameworks known as “YOLO mode.” When enabled, this setting allows an AI agent to carry out commands automatically, bypassing individual user authorization for each action.
This configuration dramatically increases security exposure. When a router introduces malicious directives, YOLO mode enables those directives to execute without any human oversight.
The research team also discovered that routing services with previously clean security records can turn malicious without operators detecting the change. Free routing services in particular may use discounted API pricing as bait to attract users while covertly extracting credentials.
Security Recommendations
The research team urged developers to implement robust client-side security measures and completely avoid transmitting private keys or seed phrases within AI agent sessions.
As a longer-term protection, the researchers proposed that AI companies cryptographically sign their responses. This would let developers verify that the instructions an agent receives genuinely originated from the designated model rather than from an intermediary.
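One way to build the client-side gate the two preceding sections call for, as an added example that is not the paper's or any provider's code: the provider signs each response with Ed25519, and the client's auto-execute ("YOLO") path runs tool calls only when the signature verifies against a pinned provider key and the response matches the request actually sent. The envelope format, its field names and the Sign/AutoExecutable functions are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Assumed envelope (not any vendor's real format): the provider signs the
// canonical JSON of Body; an intermediary router can only forward it.
type ToolCall struct {
	Name string `json:"name"`
	Args string `json:"args"`
}
type ResponseBody struct {
	RequestID string     `json:"request_id"`
	Model     string     `json:"model"`
	ToolCalls []ToolCall `json:"tool_calls"`
}
type SignedResponse struct {
	Body      ResponseBody
	Signature []byte
}

// canonical: struct field order makes encoding/json output deterministic.
func canonical(b ResponseBody) []byte {
	out, _ := json.Marshal(b) // cannot fail for these plain string fields
	return out
}

// Sign is the provider side: bind request id, model and tool calls under its key.
func Sign(priv ed25519.PrivateKey, body ResponseBody) SignedResponse {
	return SignedResponse{Body: body, Signature: ed25519.Sign(priv, canonical(body))}
}

// AutoExecutable is the client-side gate for an auto-execute ("YOLO") setting: run
// tool calls unattended only if the pinned provider key verifies the signature.
func AutoExecutable(pub ed25519.PublicKey, wantReqID string, r SignedResponse) bool {
	return r.Body.RequestID == wantReqID && ed25519.Verify(pub, canonical(r.Body), r.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	resp := Sign(priv, ResponseBody{RequestID: "req-1", Model: "model-x",
		ToolCalls: []ToolCall{{Name: "read_file", Args: "contracts/Token.sol"}}})
	fmt.Println("genuine:", AutoExecutable(pub, "req-1", resp)) // true
	// Constructed tampering: a router appends a tool call, so the signature no longer matches.
	resp.Body.ToolCalls = append(resp.Body.ToolCalls, ToolCall{Name: "run_shell", Args: "<injected>"})
	fmt.Println("tampered:", AutoExecutable(pub, "req-1", resp)) // false
}
```

The request-id check also rejects a replayed genuine response that answered a different request; a deployed version would additionally pin the provider key out of band rather than fetching it through the same router.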
Co-author Chaofan Shou shared on X that “26 LLM routers are secretly injecting malicious tool calls and stealing creds.”
The research team emphasized that LLM API routing services occupy a crucial trust position that the wider AI industry presently assumes to be secure without verification.
The published paper did not include specific details such as blockchain transaction identifiers for the compromised wallet incident.